Thursday, February 12, 2015

Technical terms are not ambiguous

I see technical terms like "interference" and "authorization" in laws. As a technical person, this confuses me. I have a different understand of these terms than how the courts might interpret them. Courts insist that these words must be interpreted using their common everyday meanings, not their technical meanings. Yet, situations are inherently technical, so the common meanings are ambiguous.

No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.

Interference seems like a common, non-technical term, but it's unlikely that's the meaning here. Interference has a very technical meaning, as demonstrated by this long Wikipedia article on "radio interference". There are entire books dedicated this this subject. It's a big technical deal, it's unreasonable to think the law means anythings else.

This is important when looking at the recent "Marriott WiFi Jamming" case, because Marriott did not cause "radio interference" or "jamming". Instead, what they did was send "deauth" packets. Using a real world analogy, jamming is like a locked door, blocking access against your will. On the other hand, a "deauth packet" is merely a Keep Out sign -- you can choose to ignore it. Indeed, I've configured my WiFi devices to ignore deauth packets, so I would not be affected by Marriott's "jamming".

The debate here isn't really over whether the definition of "interference" is technical or common. Instead, the issue is that the situation is technical. Radio interference is important because it's against your will, and there is nothing you can do avoid it. The FCC recognizes that deauths are different from "interference". It therefore allows deauth packets in most situations, only singling out Marriott's case as being disallowed by the statute. It's clearly being vague about the term in order to pursue arbitrary and prejudicial enforcement of this statute.

The same thing happens with "authorization" in the CFAA, the anti-hacking law. Authorization is a technical term, yet judges insist juries should use the common meaning of the term, such as in this recent case. This creates an unsolvable ambiguity. The Internet is defined by technical documents that declare what is "authorized" and "not authorized". This is at odds with what an average person might consider "authorized", and it's impossible for a technical person to understand the common meaning.

I have a fantasy that Tim Berners-Lee gets arrested and stands trial. The prosecution argues that his access of a website was unauthorized according to the common meaning. Berners-Lee then counters that it was authorized according to the technical meaning, and cites RFC2616 as proof. RFC2616 is the document Berners-Lee wrote defining the "web". He invented the thing. It's unreasonable to think that a jury should find something "unauthoized" that he clearly labeled as "authorized" when creating the web.

In other words, when you attach a website to the Internet, you implicitly agree to RFC2616. Likewise, when I access the website, I also implicitly agree with this document. The document delineating what "authorization" means creates an implicit agreement between us. It boggles my mind that this document doesn't have the same weight as things like Terms of Service (ToS). This document should be cited at least as often in court case as ToS documents.

The Weev case hinged partly on whether forging a "User-agent" string allowed "unauthorized" access. Reading the RFC, it's clear that the User-Agent is not an authorization mechanism. Weev would not have perceived it that way. More importantly, the owners of the website would not have seen it that way. Checking for an iPad User-Agent was a way of customizing content for the iPad, not for authorizing iPads. In the broader context, all web browsers forge User-Agent strings. Websites create better content for certain browsers, so browsers lie about their identity so their users get the better content.

The point is that it's impossible for the average person in the jury to tell if forging a User-Agent string is "unauthorized" without refering back to RFC2616 as to what "authorization" means on the web.

I'm writing this post because of this case where the judge said the following:

The root term, however — “authorization” — is not defined by the statute, and has been the subject of robust debate. One point of agreement is that “without authorization” should be given its “common usage, without any technical or ambiguous meaning.”

The judge is wrong. It's the common usage that hopelessly ambiguous; the technical meaning is relatively clear. It's the common usage of "authorization" that has lead to prejudicial and arbitrary prosecution under the CFAA. It's impossible for technical person to know what is prohibited by the statute. Moreover, it's really impossible for anybody to know what is prohibited by the statute -- nobody knows whether forging User-Agents is prohibited by the statute without a technical discussion.

2 comments:

In the quote you cited, the judge is not saying that he/she thinks that authorization ought to be defined that way. The judge is saying that it is a "point of agreement" among the courts that it should be.

The judge here is emphatically correct on the law. It's as concrete a rule of statutory construction there is that undefined terms are given their common language meaning. And this is because it would obviously be unfair to charge the general public with knowledge that is by definition not general.

Good drafting mitigates this problem by defining terms, especially when statutes deal with technical matters.

Your argument that we implicitly agree to technical documents defining internet transactions and so forth is not one the law would agree with. Knowledge of "usage of trade" and "customs of practice" are generally imputed only to those involved professionally.

I'm sympathetic to the idea that these rules are "impossible" for sophisticated people to understand though. I don't think I've ever actually heard this argument before (and I'm not totally convinced that it's true). Weev's situation struck me as one in which his conduct was entirely within the common language interpretation of "authorize," but I can sort of imagine cases in which the two would conflict.

In that case, you could argue vagueness, but even if a court agrees that a statute is vague, a lot of conduct would probably still fall into the "obviously within the scope of the prohibited conduct" exception to vagueness attacks.